| """ |
| interview/permissions.py — Custom DRF permissions for the admin dashboard. |
| """ |
|
|
| from rest_framework.permissions import BasePermission |
|
|
|
|
class IsAdminRole(BasePermission):
    """
    Restrict an endpoint to administrators.

    A request passes only when it carries an authenticated user that is
    either a Django superuser or has ``role == 'admin'``. Applied to the
    Dashboard-only views so that a student with a valid JWT still cannot
    reach admin data.

    NOTE(review): inactive accounts are not rejected here; this relies on
    the authentication class refusing them before permissions run — confirm.
    """

    # Detail string DRF returns with the 403 response when this check fails.
    message = 'Acceso denegado. Se requiere rol de administrador.'

    def has_permission(self, request, view):
        """
        Decide whether ``request`` may access ``view``.

        Args:
            request: The incoming DRF request; ``request.user`` is inspected.
            view: The view being accessed (unused, required by the interface).

        Returns:
            ``False`` for a missing or unauthenticated user; otherwise the
            truthiness of ``is_superuser`` or of an exact ``role == 'admin'``
            match. A user object without a ``role`` attribute is treated as
            having an empty role and is denied unless it is a superuser.
        """
        user = request.user
        # Guard clause: anonymous or absent users never pass, regardless of role.
        if not user or not user.is_authenticated:
            return False
        # Superusers bypass the role check; everyone else needs the exact 'admin' role.
        is_admin_role = getattr(user, 'role', '') == 'admin'
        return user.is_superuser or is_admin_role
|
|